Installing the latest version of lerna leads to yarn audit vulnerabilities (yargs-parser) #2570

Closed
kaiyoma opened this issue May 4, 2020 · 2 comments

Comments


kaiyoma commented May 4, 2020

> mkdir test
> cd test
> yarn init -y
yarn init v1.22.4
warning The yes flag has been set. This will automatically answer yes to all questions, which may have security implications.
success Saved package.json
Done in 0.09s.
> yarn add lerna
yarn add v1.22.4
info No lockfile found.
[1/4] Resolving packages...
warning lerna > @lerna/bootstrap > @lerna/run-lifecycle > npm-lifecycle > node-gyp > request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
[2/4] Fetching packages...
[3/4] Linking dependencies...
[4/4] Building fresh packages...

success Saved lockfile.
success Saved 402 new dependencies.
...
Done in 44.49s.

> yarn audit
yarn audit v1.22.4
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ yargs-parser                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ lerna                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ lerna > @lerna/publish > @lerna/version >                    │
│               │ @lerna/conventional-commits > conventional-changelog-core >  │
│               │ conventional-changelog-writer > meow > yargs-parser          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1500                        │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ yargs-parser                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ lerna                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ lerna > @lerna/version > @lerna/conventional-commits >       │
│               │ conventional-changelog-core > conventional-changelog-writer  │
│               │ > meow > yargs-parser                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1500                        │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ yargs-parser                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ lerna                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ lerna > @lerna/publish > @lerna/version >                    │
│               │ @lerna/conventional-commits > conventional-changelog-core >  │
│               │ conventional-commits-parser > meow > yargs-parser            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1500                        │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ yargs-parser                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ lerna                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ lerna > @lerna/version > @lerna/conventional-commits >       │
│               │ conventional-changelog-core > conventional-commits-parser >  │
│               │ meow > yargs-parser                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1500                        │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ yargs-parser                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ lerna                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ lerna > @lerna/publish > @lerna/version >                    │
│               │ @lerna/conventional-commits > conventional-recommended-bump  │
│               │ > conventional-commits-parser > meow > yargs-parser          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1500                        │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ yargs-parser                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ lerna                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ lerna > @lerna/version > @lerna/conventional-commits >       │
│               │ conventional-recommended-bump > conventional-commits-parser  │
│               │ > meow > yargs-parser                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1500                        │
└───────────────┴──────────────────────────────────────────────────────────────┘
6 vulnerabilities found - Packages audited: 41311
Severity: 6 Low
Done in 1.15s.
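The audit output lists the "Patched in" range for yargs-parser but not which resolved versions a lockfile actually pins. As an added example (not from the issue or the lerna project), the script below reads yargs-parser entries out of a constructed yarn.lock fragment and classifies each resolved version against that range; the lockfile content and the helper names are assumptions.

```javascript
// Added example: check the yargs-parser versions pinned in a yarn.lock against the
// "Patched in" range from the audit above. Range syntax: "||" separates alternatives,
// whitespace inside an alternative ANDs comparators; prerelease tags are not handled.
const PATCHED = '>=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2';
// Constructed yarn.lock (v1) fragment; the resolved versions are illustrative.
const LOCKFILE = `yargs-parser@^13.1.0, yargs-parser@^13.1.1:
  version "13.1.1"

yargs-parser@^18.1.1:
  version "18.1.3"
`;

// Numeric comparison of two plain "x.y.z" versions: negative, zero or positive.
function compare(a, b) {
  const parts = v => v.split('.').map(Number);
  const [x, y] = [parts(a), parts(b)];
  if (x.some(Number.isNaN) || y.some(Number.isNaN)) throw new Error(`unsupported version: ${a} / ${b}`);
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// One comparator such as ">=13.1.2" or "<14.0.0".
function satisfiesComparator(version, comparator) {
  const m = /^(>=|<=|>|<|=)?(\d+\.\d+\.\d+)$/.exec(comparator);
  if (!m) throw new Error(`bad comparator: ${comparator}`);
  const c = compare(version, m[2]);
  return { '>=': c >= 0, '<=': c <= 0, '>': c > 0, '<': c < 0, '=': c === 0 }[m[1] || '='];
}

function satisfies(version, range) {
  return range.split('||').some(alt =>
    alt.trim().split(/\s+/).every(cmp => satisfiesComparator(version, cmp)));
}

// Resolved versions of `pkg` in yarn.lock v1 text; headers are unindented, may list several selectors.
function lockedVersions(lockText, pkg) {
  const versions = [];
  let inEntry = false;
  for (const line of lockText.split('\n')) {
    if (line && !line.startsWith(' ')) inEntry = line.replace(/^"/, '').startsWith(`${pkg}@`);
    else if (inEntry) { const m = /^\s+version "([^"]+)"/.exec(line); if (m) versions.push(m[1]); }
  }
  return versions;
}

// One {version, patched} record per locked copy; `patched: false` is what yarn audit flags.
function auditLockfile(lockText, pkg, patchedRange) {
  return lockedVersions(lockText, pkg).map(v => ({ version: v, patched: satisfies(v, patchedRange) }));
}
console.log(auditLockfile(LOCKFILE, 'yargs-parser', PATCHED));
```

Point `LOCKFILE` at a real yarn.lock (for example via `fs.readFileSync`) to see which transitive copies of yargs-parser still fall outside the patched ranges after a `yarn upgrade`.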
@invalidred

Noticed the same thing this morning in our repo. We have the latest version, 3.22.0.

@JamesHenry
Member

Hi Folks 👋

You may or may not know that lerna is now under the stewardship of Nrwl (announcement here #3121), a company with a long history of not just producing valuable open-source software (OSS), but also backing others (at the time of writing, Nrwl has donated over $50,000 to OSS it hasn't created, see https://opencollective.com/nx for full details).

Quite simply, Nrwl ❤️ OSS, and is committed to making lerna the best it can be. We use it ourselves.

We hope you will continue to be a part of this community as we look to take things forward from here!

Please see #3140 for more details on our plans for 2022.

In the case of this specific issue, the relevant packages have been updated and you will no longer see any npm audit issues when using the v5 releases of lerna we have cut since we took over.

If you run into any issues on the latest version of lerna, please feel free to open a new issue and follow the instructions:
https://github.com/lerna/lerna/issues/new/choose

Many thanks 🙏
